hxxps://github[.]com/kh4sh3i/Ransomware-Samples

Resubmissions

06-12-2024 18:24

241206-w2jhxs1jax 10

06-12-2024 18:22

241206-wzy6lawnen 7

06-12-2024 18:15

241206-wwd19azqas 9

06-12-2024 18:09

241206-wrmgtszngy 6

Analysis

max time kernel
168s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 18:15

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples

Score

9^/10

bootkit discovery persistence ransomware upx

Malware Config

Signatures

Renames multiple (168) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 3 IoCs

pid	Process
1520	protect.exe
3972	assembler.exe
4756	overwrite.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
26	raw.githubusercontent.com
55	raw.githubusercontent.com
56	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	overwrite.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x001100000001b34e-454.dat	autoit_exe
behavioral1/memory/4244-645-0x0000000000FC0000-0x000000000124E000-memory.dmp	autoit_exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4244-423-0x0000000000FC0000-0x000000000124E000-memory.dmp	upx
behavioral1/memory/4244-645-0x0000000000FC0000-0x000000000124E000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 3 IoCs

pid	pid_target	Process	procid_target
824	3512	WerFault.exe	113
1344	5020	WerFault.exe	120
4184	2848	WerFault.exe	123

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptowall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	protect.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assembler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	overwrite.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "59"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133779825720543216"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4664	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2284	chrome.exe
2284	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe
1520	protect.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4032	OpenWith.exe
4664	vlc.exe
1520	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2284	chrome.exe
2284	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
4664	vlc.exe
4664	vlc.exe
4664	vlc.exe
4664	vlc.exe
4664	vlc.exe
4664	vlc.exe
4664	vlc.exe
4664	vlc.exe
4664	vlc.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
4664	vlc.exe
4664	vlc.exe
4664	vlc.exe
4664	vlc.exe
4664	vlc.exe
4664	vlc.exe
4664	vlc.exe
4664	vlc.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4032	OpenWith.exe
4664	vlc.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 4764	2284	chrome.exe	83
PID 2284 wrote to memory of 4764	2284	chrome.exe	83
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4204	2284	chrome.exe	84
PID 2284 wrote to memory of 4216	2284	chrome.exe	85
PID 2284 wrote to memory of 4216	2284	chrome.exe	85
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86
PID 2284 wrote to memory of 3500	2284	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/kh4sh3i/Ransomware-Samples
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb906acc40,0x7ffb906acc4c,0x7ffb906acc58
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,1492977527175010907,3405439772282343968,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,1492977527175010907,3405439772282343968,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,1492977527175010907,3405439772282343968,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2464 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,1492977527175010907,3405439772282343968,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,1492977527175010907,3405439772282343968,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4620,i,1492977527175010907,3405439772282343968,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4632 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5032,i,1492977527175010907,3405439772282343968,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5200,i,1492977527175010907,3405439772282343968,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5044,i,1492977527175010907,3405439772282343968,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4800

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:964

C:\Users\Admin\Downloads\cryptowall.exe
"C:\Users\Admin\Downloads\cryptowall.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 476
  2⤵
  - Program crash
  PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3512 -ip 3512
1⤵
PID:1972

C:\Users\Admin\Downloads\cryptowall.exe
"C:\Users\Admin\Downloads\cryptowall.exe"
1⤵
PID:5020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 448
  2⤵
  - Program crash
  PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5020 -ip 5020
1⤵
PID:3284

C:\Users\Admin\Downloads\cryptowall.exe
"C:\Users\Admin\Downloads\cryptowall.exe"
1⤵
PID:2848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 452
  2⤵
  - Program crash
  PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2848 -ip 2848
1⤵
PID:2192

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4032
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\cryptowall.bin"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4664

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1520
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\Downloads\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887"
  2⤵
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:2324
- - C:\Windows\SysWOW64\unregmp2.exe
    "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2088
  - - C:\Windows\system32\unregmp2.exe
      "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      4⤵
      Enumerates connected drives
      PID:2108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4412

C:\Users\Admin\Downloads\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
"C:\Users\Admin\Downloads\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4244
- C:\Users\Admin\20876929\protect.exe
  "C:\Users\Admin\20876929\protect.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1520
- C:\Users\Admin\20876929\assembler.exe
  "C:\Users\Admin\20876929\assembler.exe" -f bin "C:\Users\Admin\20876929\boot.asm" -o "C:\Users\Admin\20876929\boot.bin"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3972
- C:\Users\Admin\20876929\overwrite.exe
  "C:\Users\Admin\20876929\overwrite.exe" "C:\Users\Admin\20876929\boot.bin"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:4756

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38e8055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
PID:2336

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\20876929\assembler.exe

Filesize
589KB

MD5
7e3cea1f686207563c8369f64ea28e5b

SHA1
a1736fd61555841396b0406d5c9ca55c4b6cdf41

SHA256
2a5305369edb9c2d7354b2f210e91129e4b8c546b0adf883951ea7bf7ee0f2b2

SHA512
4629bc32094bdb030e6c9be247068e7295599203284cb95921c98fcbe3ac60286670be7e5ee9f0374a4017286c7af9db211bd831e3ea871d31a509d7bbc1d6a3

Download Submit
C:\Users\Admin\20876929\boot.asm

Filesize
825B

MD5
def1219cfb1c0a899e5c4ea32fe29f70

SHA1
88aedde59832576480dfc7cd3ee6f54a132588a8

SHA256
91e74c438099172b057bedf693d877bd08677d5f2173763986be4974c0970581

SHA512
1e735d588cb1bb42324eaff1b9190ec6a8254f419d1ba4a13d03716ff5c102a335532b573a5befb08da90586e5670617066564ef9872f8c415b9a480836df423

Download Submit
C:\Users\Admin\20876929\boot.bin

Filesize
512B

MD5
90053233e561c8bf7a7b14eda0fa0e84

SHA1
16a7138387f7a3366b7da350c598f71de3e1cde2

SHA256
a760d8bc77ad8c0c839d4ef162ce44d5897af6fa84e0cc05ecc0747759ea76c2

SHA512
63fda509cd02fd9d1374435f95515bc74f1ca8a9650b87d2299f8eee3a1c5a41b1cb8a4e1360c75f876f1dae193fdf4a96eba244683308f34d64d7ce37af2bb4

Download Submit
C:\Users\Admin\20876929\overwrite.exe

Filesize
288KB

MD5
bc160318a6e8dadb664408fb539cd04b

SHA1
4b5eb324eebe3f84e623179a8e2c3743ccf32763

SHA256
f2bc5886b0f189976a367a69da8745bf66842f9bba89f8d208790db3dad0c7d2

SHA512
51bc090f2821c57d94cfe4399b1f372a68d2811ea0b87d1ac1d6cf8ae39b167038ac21c471b168f1d19c6b213762024abb7e9e5ca311b246b46af0888289e46c

Download Submit
C:\Users\Admin\20876929\protect.exe

Filesize
837KB

MD5
fd414666a5b2122c3d9e3e380cf225ed

SHA1
de139747b42a807efa8a2dcc1a8304f9a29b862d

SHA256
e61a8382f7293e40cb993ddcbcaa53a4e5f07a3d6b6a1bfe5377a1a74a8dcac6

SHA512
9ab2163d7deff29c202ed88dba36d5b28f6c67e647a0cadb3d03cc725796e19e5f298c04b1c8523d1d1ee4307e1a5d6f8156fa4021627d6ca1bbd0830695ae05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2c25eed6b47be3e90983e664bde7460c

SHA1
2e0c2c2bce7a496daddbe78b0b98688831c20cce

SHA256
0a6da5c2d042cb73c45ab813c424ee6dd5d2c253ddd9f752858d2cd849f5f949

SHA512
e8c7c59b6277eb4781da53ef62d1489075cf082bab5a2017351c66a85d5d15d529d0275b98359a329eb4dc1315b13a5b362a262229e53c226d4d2780a908d1d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f51b51054462882fd50e65b8226fabdb

SHA1
e1b23eb9086d94fbc6dfa56c8476a508f0993668

SHA256
0c9a301966ef239972c5b48481efd77c7b3ea9d4a01dd26b60e5a0f754bf2b10

SHA512
8f30256b21167a96f18efc961c024dc474b44587807ac12390edd9057e7bda9cedb8153b75d95a5751988e1eea763662483ec897f327d5f555bc54a522dc8724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\08ad58df-0af0-4fd9-b8ee-55abf2eb97dc.tmp

Filesize
1KB

MD5
aff3eb0f94ee49c652e9c557b071320b

SHA1
43ccda7c044d39a9cacb3d9fa6a6d8a4ee784529

SHA256
e13ba4646309154c36c0b455b7f9431349c48e97ced4a06c41674227fca920d4

SHA512
ee12f272a14739aa8eb0d5d73be6c287690d6fc5a1dddaea2358e000bdfad6bd01aed2e516f9ffd32366cb192cc675142fc7ad5cce54fa7b68a76715b8237e67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
69f91a8bb59151a55a3a601a31476b80

SHA1
ebe34f6a0dafcbd8215d8033fd31dc514f1c32dd

SHA256
71313bb7e874cda51899cb3b97aba839158b29fa72aaa648ee081b2ff3820ca8

SHA512
c00b7921da223aa044cf92fad5729b9103d2691d5f5027307ea230f1af4d3dee27e5bcc6e0d095babda0aa7511e99f1a50dad096a5e19af7e464cab6b3127acf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7f73a7a0b133763648e433db6144cec1

SHA1
152a0550bf0ef27abdefcdc690a24be7b8a2e891

SHA256
4f5f772209c9f5987138501445f9e7171c5d57add6cdefa80f0e0d69511beb70

SHA512
6a8d7830a6f56d4320ec1c3449954c5ac554ae34a2fb9abda421f10d791a7c38995f6429ba877824ae8c5e1facdbc9fa59bfa6728528f07b03bd77edad09a945

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1ef63a1158b2fd6cb669e470a92ed56c

SHA1
b32a39ed4251b84b5f02b5001a2f4ed58f76c4ef

SHA256
20956e0ac21b88a48efd2bc0c186aacd5ad5d03e70d7bc22abd741e0b3c7c7a0

SHA512
1791b937c3adbad7d4e454c326ee0b433bc5ba340e851c111beb6094e2754b056d9ec873892d41942e7dd1e6c40bdd93b8ca8dae6cf5d585bab72eb9faac5ffb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
be8caeebf85ac8b01008390bc58cae71

SHA1
fee02873da4742875f734c4a55daf290f46e03ce

SHA256
c03b683b9ec16ce71227fcff81bb2722e901e61d8166e9871618872ed3ab3788

SHA512
934545b84023bba114f28698228420c3707af2650b8415668e87b6c16d6e07b2ef66015e562b557f68a3f091f12363e72e4ce51f160e32a74e7ac56983acd0c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6d50b37469b6d1e1033ff79af7b9349f

SHA1
ce42be57d188172608fafb4a1bd3405ddf6e9fce

SHA256
4282041df58923d02201ce9e8bfc621d7c9a12cd08b0162a73d97dabe59c4179

SHA512
ce518cf8480aff14327a3474bb7045ed0a538436b2acf7f2de29f3f48c3f87b8256cba4427a7098398c28f05ad0309816830056ef1a6542bcd5d28e2db8fda66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
db708be7545e21a4824ee38936cca3a4

SHA1
e0b0d8f527762ebd9e3f65c68136216ef11c953d

SHA256
0204523d76093f8ba4728fb71e95ad7728404243afe21376d10e41d4cb4a3b1a

SHA512
5c3f107d8ba01db9dc75ac44025684e2e9b13f6d3896e922c906e397c1ee5640bc93b115a2211b8370a6a48c454a0eafb106245f081837d7bca09fd74d5cb135

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3a1a30208522b7891f09c097da31db00

SHA1
235e689c037ac77b97a82ee96dcf595f4f9c41eb

SHA256
f47a54dba8b5c1977c1d4661cf123ce3c490753e48ed427b8013532ab0785cf2

SHA512
0d76686801cac35946c7a5c0d8bdfb77163f8559c5d7715e5c1dcbb86aa9d8dcbcabdb24322ad33e27692733a966908f6e65d29ecaf39956bf239192172f962d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f0abc0225e3fd8cede997136148013ed

SHA1
754caf5fd55d6d634065dd5e9e8303c3cc8478f7

SHA256
f9a25c0d543987e85932403115fa52097f306758d2cfafc25cf5daf802c55da7

SHA512
4b0425f04fe9ba32af8746517289c0eeafd17e34ef05aa9d8070c0597dfe1f75433d3ebd06a71717ed3542911a003b71f14a45926bca036d14343e0abf1009a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
86ed6f055c2fd7fbc97428453b5b6255

SHA1
3e64218d2a734d60952fa1e6837598ae26f445d5

SHA256
5f38b349084d6fa07dd198bcd0b21ac3d08a4b9f0013faf7f14267abc26b2f63

SHA512
ac9d3c80778afb4e08b6db9b08881ae6840cf58ffe7131c517a0995810bdcff01df4ffaa634f2b87edce33ff042893a265cc57decfe430fdbd2d79bfd8413ea6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
06b57e4477f3652fba6ac3b3166ad696

SHA1
c380f8b80eb7e73ea84c9c1c7da1e8b474accf89

SHA256
e51b542115fe47d7cf277f76c152b0eb38a729dacdb5b56904dc6660f88b1f72

SHA512
ec9bb8f2b8e843fb7034d890b1c5d042382c600dad64d32f26ee0244e54901cc40cbd64851cbc3e2a60ff780bba8affa9540591d2db9006429be8341c79e66f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a23b2d09463bc3624f177d6b865a72a3

SHA1
38e2e1a59bb7577d951ad580cd919ab6b1cec847

SHA256
d50b1dca2b57b743faf37cabea7d15dc58c5ebed2743fc2098f6877beeecbe41

SHA512
4e0962331013068d34a239d62f5b55f775416c062838c39a614c7e73695bb619f61fa167a8d3d989b9b6ea6821bc7ea919eae40f77244df9f1a60111e7ef98b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3f3e618922889a8db88fc5fe5b03f715

SHA1
6b1f95b6176419aefda26aa177aa6347a793c5b8

SHA256
83ea40ae8d313531f0c4dba2ad36592427d9cfd81eed6a96196fad2305a2ea54

SHA512
eab78ddbac9c99d60b14d1f05e20a24a4d7ba289528ea659051c095b5331134f890786afd2861b6c07cfe9ea5593f00240461780b0fae6bd2723ada6e01d0893

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
91e32d7b5aed10133650302c2401c70b

SHA1
443205ec09ada7f47facaa7fdab6901952e57e72

SHA256
c71f4347de2406bb4511b2b1c9d56ccfaa7a25e7dba0ec4cfcc7372001dc2058

SHA512
8d6a6d9ea079bb1177ecb562d592e6781b62c4405caacc66a43c8452ed05194c5f3ad2277ef8b684ed3d9518fe54d461ddeaa7a7983915afe96bdf21a46c45b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e9161ed9ea862f9f295f14179ac7f72a

SHA1
7351528a8078a7624074671a2826f9f9e2fab3df

SHA256
b66c9dcfd2a03f1997d4da0ad72dfe583139f476f2da8d73bbf3cc5e0bdc0fa4

SHA512
466ca378cda45c2c4e1e2da8708ad7d29a417f1b95cb57e30cf2e0f1345099339c0cd2aa386fce433a728e8a9975bc6d2cc7419c9efbdfb173c2878d8d7e312a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
086d792ee827864125e498d5a1737e08

SHA1
6465b3cdc6095e2ce0bb2f6bc496198d53e28f82

SHA256
2999db9e3f632037cfc5ad74bcc7b653d0c142ed4719ddfc3c860dafc67048d3

SHA512
79b7219881cd508a66bb73f969a4bc33d4b9fa195288bf89d54a49d58d9bc1873813712bdb0c519b4d92ca2bacc25629010cb82475f2d28152d5860273234dbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
63efb1f50aa3d6bfefaaa8f146f9e61f

SHA1
845f3af6675cba03e4a58fdeaa1eb40bb3379c65

SHA256
65c0a21ac68d1ca9a3ba8d9fb8b7c6a36d280fd8e14fa1d1670e6c6f265888e7

SHA512
f2719bfa46731339afdba81aa2376c0ce3bc29650e8e4461741c57746590d8903e1f1d640224a471caae9d9a7811a4c89dabd98361b5c71016293d92894718e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
33caed3a63e8702c2c0abe27e283d74a

SHA1
9aae2947fa9d31309ead753a97f933263b85f260

SHA256
e7d4fbbf683785cfe0f4eaf386ed12f090919424b09522774ec0c5add26c57a3

SHA512
166b5809021180cbecc6588df818606e4fe9b29b3536498ce20d6d3f4c2aa0d4d7810943cda1e8e2c05d3fbfc21270952b0e79b36dfd94d26ad0faea566137d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
512KB

MD5
1704d7a29507a6318d65a35bc403a289

SHA1
5e288d7dc06e12c71948fa997179eed59a158785

SHA256
2a12e93b4ac14b61bdeea0984e6aec2d0c4e4409e98b2185e19dd1f54bcc6a09

SHA512
16d028f8434ea3745731c13b531bebd739c9fcf1e333b8f9d7d95ddd79ce70640c47fc3d6376b26bb1ffc7d4bb458edb71b25d55d8e1ea603a964d69fd18c8d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
c1bea1d38407ee2b569324b916975d03

SHA1
d1a9549656033c81dbac685c705b888d6ab450d9

SHA256
bc4c714b4d77515c71d632e8ea2470b6ec99fbe205654b8b367dc8663fd0bd77

SHA512
abab1b301813e9f797cfba489770b57e573aa093bd0941878cf02c3db2267f71619a9b7e179448a0ac1ccfbefc3d16a80cdf29476f78f737f6e155c5fc9ec14b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
0fab6392f60d5013167899bf64c9d9e5

SHA1
a7e8494739531f92d489e21d7d763297e55e193d

SHA256
8a3297cba09d7b4c6f4d798e258a67dd1c143bcc821da38031895de46c308eda

SHA512
fd7531ac862eeba9f69c34069d59721421f58be6cd0d1e4b15da11733cf92b99946dde5efc6fdf7827490637945437242dae7ed861025cff35c5f7b70cac8fa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
90ac4b108699660b52e609dffc803983

SHA1
549a5fe3cd75efba9d4bc19fb049d4982f6f2bdb

SHA256
dde39908f0e4964c8944c44809729ca695d330183c1d883f7638f533b5ca1173

SHA512
e17ffc84338c4f47299aaf34597bd0356b45ef528387a8f65fc337ed30973001372985d2077aea9eb0e5ed577283db0ea482757bd7f82c0bc26947d6fa367bc6

Download Submit
C:\Users\Admin\Downloads\Ransomware.Cryptowall.zip

Filesize
100KB

MD5
8710ea46c2db18965a3f13c5fb7c5be8

SHA1
24978c79b5b4b3796adceffe06a3a39b33dda41d

SHA256
60d574055ae164cc32df9e5c9402deefa9d07e5034328d7b41457d35b7312a0e

SHA512
c71de7a60e7edeedbdd7843a868b6f5a95f2718f0f35d274cf85951ee565ef3ba1e087881f12aeede686ce6d016f3fd533b7ef21d878a03d2455acc161abf583

Download Submit
C:\Users\Admin\Downloads\Ransomware.RedBoot.zip

Filesize
1.2MB

MD5
51250dabf7df7832640e4a680676cb46

SHA1
74ba41bb17af6e5638171f7a6d9d49e978d8d3b3

SHA256
7fa2bf61405ac573a21334e34bf713dcb5d1fc0c72674e6cebc48d33a4a14d44

SHA512
43f898d7e5752312a79138dcce94c117a20fb6efd9e522fc1ed3cc2d407d13cacf5b6f810c7c1966c4c03217aeb51fce641feb31b26620ff239756132b17f57a

Download Submit
memory/2324-407-0x0000000009BF0000-0x0000000009C00000-memory.dmp

Filesize
64KB

Download
memory/2324-411-0x0000000009BF0000-0x0000000009C00000-memory.dmp

Filesize
64KB

Download
memory/2324-412-0x0000000009BF0000-0x0000000009C00000-memory.dmp

Filesize
64KB

Download
memory/2324-404-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/2324-409-0x0000000009BF0000-0x0000000009C00000-memory.dmp

Filesize
64KB

Download
memory/2324-410-0x0000000009BF0000-0x0000000009C00000-memory.dmp

Filesize
64KB

Download
memory/2324-408-0x0000000009BF0000-0x0000000009C00000-memory.dmp

Filesize
64KB

Download
memory/2324-406-0x0000000009BF0000-0x0000000009C00000-memory.dmp

Filesize
64KB

Download
memory/2324-405-0x0000000009BF0000-0x0000000009C00000-memory.dmp

Filesize
64KB

Download
memory/3972-467-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4244-645-0x0000000000FC0000-0x000000000124E000-memory.dmp

Filesize
2.6MB

Download
memory/4244-423-0x0000000000FC0000-0x000000000124E000-memory.dmp

Filesize
2.6MB

Download
memory/4664-306-0x00007FFB77000000-0x00007FFB780B0000-memory.dmp

Filesize
16.7MB

Download
memory/4664-303-0x00007FF63E590000-0x00007FF63E688000-memory.dmp

Filesize
992KB

Download
memory/4664-304-0x00007FFB7BEC0000-0x00007FFB7BEF4000-memory.dmp

Filesize
208KB

Download
memory/4664-305-0x00007FFB7BC00000-0x00007FFB7BEB6000-memory.dmp

Filesize
2.7MB

Download
memory/4756-472-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads